move raspios and openwrt folders to installer/

16 files changed, 704 insertions, 0 deletions

diff --git a/roles/installer/openwrt/deploy/action_plugins/openwrt_sysupgrade.py b/roles/installer/openwrt/deploy/action_plugins/openwrt_sysupgrade.py
new file mode 100644
index 00000000..16772937
--- /dev/null
+++ b/roles/installer/openwrt/deploy/action_plugins/openwrt_sysupgrade.py
@@ -0,0 +1,57 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+
+from ansible.errors import AnsibleError, AnsibleAction, AnsibleActionFail, AnsibleActionSkip, AnsibleConnectionFailure
+from ansible.module_utils._text import to_native
+from ansible.plugins.action import ActionBase
+
+
+class ActionModule(ActionBase):
+    TRANSFERS_FILES = True
+
+    def run(self, tmp=None, task_vars=None):
+        if task_vars is None:
+            task_vars = dict()
+
+        if self._task.environment and any(self._task.environment):
+            self._display.warning('openwrt_sysupgrade module does not support the environment keyword')
+
+        result = super(ActionModule, self).run(tmp, task_vars)
+        del tmp  # tmp no longer has any effect
+        self._cleanup_remote_tmp = False
+
+        try:
+            if self._play_context.check_mode:
+                raise AnsibleActionSkip('Check mode is not supported for this task.')
+
+            result['changed'] = True
+
+            try:
+                image = to_native(self._task.args.get('image', ''), errors='surrogate_or_strict')
+                image = self._loader.get_real_file(self._find_needle('files', image), decrypt=False)
+            except AnsibleError as e:
+                raise AnsibleActionFail(to_native(e))
+
+            tmp_img = self._connection._shell.join_path(self._connection._shell.tmpdir, os.path.basename(image))
+            self._transfer_file(image, tmp_img)
+            self._fixup_perms2((self._connection._shell.tmpdir, tmp_img), execute=False)
+
+            args = to_native(self._task.args.get('args', ''), errors='surrogate_or_strict')
+
+            script_cmd = ' '.join(['sysupgrade', args, tmp_img])
+            script_cmd = self._connection._shell.wrap_for_exec(script_cmd)
+
+            try:
+                result.update(self._low_level_execute_command(cmd=script_cmd))
+            except AnsibleConnectionFailure as e:
+                result['rc'] = 0
+
+            if 'rc' in result and result['rc'] != 0:
+                raise AnsibleActionFail('non-zero return code')
+
+        except AnsibleAction as e:
+            result.update(e.result)
+
+        return result
diff --git a/roles/installer/openwrt/deploy/tasks/main.yml b/roles/installer/openwrt/deploy/tasks/main.yml
new file mode 100644
index 00000000..06fb28ad
--- /dev/null
+++ b/roles/installer/openwrt/deploy/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: copy image and run sysupgrade
+  openwrt_sysupgrade:
+    image: "{{ output_images | first }}"
+    args: -n
diff --git a/roles/installer/openwrt/image/README.md b/roles/installer/openwrt/image/README.md
new file mode 100644
index 00000000..95d9d106
--- /dev/null
+++ b/roles/installer/openwrt/image/README.md
@@ -0,0 +1,8 @@
+# Build OpenWRT images with Ansible
+
+TODO: add possibility to disable root logins using /etc/shadow
+      this will also take care of the annoying
+         "There is no root password defined ..."
+      message when you log in.
+
+## Configuration
diff --git a/roles/installer/openwrt/image/defaults/main.yml b/roles/installer/openwrt/image/defaults/main.yml
new file mode 100644
index 00000000..9f867053
--- /dev/null
+++ b/roles/installer/openwrt/image/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+openwrt_variant: openwrt
+openwrt_release: "{{ install_codename }}"
+openwrt_download_dir: "{{ global_cache_dir }}/openwrt"
+openwrt_tarball_basename: "{{ openwrt_variant }}-imagebuilder-{{ openwrt_release }}-{{ openwrt_arch }}-{{ openwrt_target }}.Linux-x86_64"
+openwrt_tarball_name: "{{ openwrt_tarball_basename }}.tar.xz"
+openwrt_target: generic
+
+openwrt_output_dir: "{{ global_artifacts_dir }}/{{ inventory_hostname }}/openwrt"
+openwrt_output_image_name_base: "{{ openwrt_variant }}-{{ openwrt_release }}-{{ openwrt_arch }}{% if openwrt_target != 'generic' %}-{{ openwrt_target }}{% endif %}"
+openwrt_output_image_suffixes:
+  - squashfs-sysupgrade.bin
+  - squashfs-factory.bin
+
+openwrt_packages_remove: []
+openwrt_packages_add: []
+openwrt_packages_extra: []
+
+openwrt_keep_temporary_build_dir: false
diff --git a/roles/installer/openwrt/image/tasks/fetch.yml b/roles/installer/openwrt/image/tasks/fetch.yml
new file mode 100644
index 00000000..1dc5728d
--- /dev/null
+++ b/roles/installer/openwrt/image/tasks/fetch.yml
@@ -0,0 +1,57 @@
+---
+- name: Create download directory
+  file:
+    dest: "{{ openwrt_download_dir }}"
+    state: directory
+
+- name: download the openwrt image builder
+  block:
+  - name: Generate OpenWrt download URLs
+    set_fact:
+      openwrt_url:
+        https://downloads.openwrt.org/releases/{{ openwrt_release }}/targets/{{ openwrt_arch | mandatory }}/{{ openwrt_target }}
+
+  - name: Download sha256sums
+    get_url:
+      url: "{{ openwrt_url }}/sha256sums"
+      dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"
+
+  - name: Download sha256sums.asc
+    get_url:
+      url: "{{ openwrt_url }}/sha256sums.asc"
+      dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
+
+  - name: Check OpenPGP signature
+    command: >-
+      gpgv --keyring "{{ global_files_dir }}/common/keyrings/openwrt-{{ [0, 1] | map('extract', (openwrt_release | split('.'))) | join('.') }}.gpg"
+          "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"
+    changed_when: False
+    register: openwrt_image_gpg_result
+
+  - debug:
+      var: openwrt_image_gpg_result.stderr_lines
+
+  - name: Extract SHA256 hash of the imagebuilder archive
+    command: grep '{{ openwrt_tarball_name }}' "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"
+    changed_when: False
+    register: sha256
+
+  - name: Download imagebuilder
+    get_url:
+      url: "{{ openwrt_url }}/{{ openwrt_tarball_name }}"
+      dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}"
+      checksum: sha256:{{ sha256.stdout.split(' ') | first }}
+
+  rescue:
+  - name: Delete downloaded artifacts
+    loop:
+      - "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"
+      - "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
+      - "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}"
+    file:
+      path: "{{ item }}"
+      state: absent
+
+  - name: the download has failed...
+    fail:
+      msg: Something borked
diff --git a/roles/installer/openwrt/image/tasks/main.yml b/roles/installer/openwrt/image/tasks/main.yml
new file mode 100644
index 00000000..5bf07d04
--- /dev/null
+++ b/roles/installer/openwrt/image/tasks/main.yml
@@ -0,0 +1,65 @@
+---
+- name: fetch imagebuilder
+  when: openwrt_imgbuilder_tarball is not defined
+  run_once: true
+  import_tasks: fetch.yml
+
+- name: build the image
+  block:
+  - import_tasks: prepare.yml
+
+  - name: Create the output directory for built images
+    file:
+      path: "{{ openwrt_output_dir }}"
+      state: directory
+
+  - name: generate list of packages to add or remove
+    set_fact:
+      openwrt_packages: >-
+        {{ openwrt_packages_remove | map('regex_replace', '^', '-') | join(' ') }}
+        {{ openwrt_packages_add   | join(' ') }}
+        {{ openwrt_packages_extra | join(' ') }}
+
+  - name: Build the OpenWrt image
+    command: >-
+      make -C {{ openwrt_imgbuilder_dir }}/{{ openwrt_tarball_basename }} image
+        {% if openwrt_profile is defined %}PROFILE="{{ openwrt_profile }}" {% endif %}
+        FILES="{{ openwrt_imgbuilder_files }}"
+        PACKAGES="{{ openwrt_packages }}"
+        {% if openwrt_extra_name is defined %} EXTRA_IMAGE_NAME="{{ openwrt_extra_name }}" {% endif %}
+        {% if openwrt_rootfs_partsize is defined %} ROOTFS_PARTSIZE="{{ openwrt_rootfs_partsize }}" {% endif %}
+    register: openwrt_build
+
+  - name: Copy newly built OpenWrt image
+    loop: "{{ openwrt_output_image_suffixes }}"
+    copy:
+      src: "{{ openwrt_imgbuilder_dir }}/{{ openwrt_tarball_basename }}/bin/targets/{{ openwrt_arch }}/{{ openwrt_target }}/{{ openwrt_output_image_name_base }}-{{ item }}"
+      dest: "{{ openwrt_output_dir }}"
+
+  - name: set output image names
+    set_fact:
+      output_images: "{{ [(openwrt_output_dir, openwrt_output_image_name_base) | path_join | realpath] | product(openwrt_output_image_suffixes) | map('join', '-') }}"
+
+  always:
+  - name: save stdout build-log to output directory
+    when: openwrt_build is defined
+    copy:
+      content: "{{ openwrt_build.stdout }}\n"
+      dest: "{{ openwrt_output_dir }}/build-stdout.log"
+
+  - name: save stderr build-log to output directory
+    when: openwrt_build is defined
+    copy:
+      content: "{{ openwrt_build.stderr }}\n"
+      dest: "{{ openwrt_output_dir }}/build-stderr.log"
+
+  - name: delete the temporary build directory
+    when: not openwrt_keep_temporary_build_dir
+    file:
+      path: "{{ openwrt_imgbuilder_dir }}"
+      state: absent
+
+  - name: print temporary build directory information
+    when: openwrt_keep_temporary_build_dir
+    debug:
+      msg: "The temporary build directory has not been deleted, the path to the directory is: {{ openwrt_imgbuilder_dir }}"
diff --git a/roles/installer/openwrt/image/tasks/prepare.yml b/roles/installer/openwrt/image/tasks/prepare.yml
new file mode 100644
index 00000000..f685540c
--- /dev/null
+++ b/roles/installer/openwrt/image/tasks/prepare.yml
@@ -0,0 +1,110 @@
+---
+- name: Create temporary build directory
+  tempfile:
+    state: directory
+  register: tmpdir
+
+- name: set variables needed to build images
+  set_fact:
+    openwrt_imgbuilder_dir:   "{{ tmpdir.path }}"
+    openwrt_imgbuilder_files: "{{ tmpdir.path }}/files"
+
+- name: Create the directories for mixins
+  loop: "{{ mixin_directories | flatten }}"
+  vars:
+    mixin_directories:
+    - "{{ openwrt_download_dir }}/dl/{{ openwrt_arch }}"
+    - "{{ openwrt_imgbuilder_files }}/etc/config"
+    - "{{ openwrt_mixin | map('dirname') | map('regex_replace', '^', openwrt_imgbuilder_files) | unique | list }}"
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+
+
+- name: Copy mixins in place [1/3]
+  loop: "{{ openwrt_mixin | dict2items | selectattr('value.link', 'defined') | list }}"
+  loop_control:
+    label: "{{ item.key }}"
+  file:
+    dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"
+    src: "{{ item.value.link }}"
+    force: yes
+    follow: no
+    state: link
+
+- name: Copy mixins in place [2/3]
+  loop: "{{ openwrt_mixin | dict2items | selectattr('value.file', 'defined') | list }}"
+  loop_control:
+    label: "{{ item.key }}"
+  copy:
+    src: "{{ item.value.file }}"
+    dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"
+    mode: "{{ item.value.mode | default('0644') }}"
+
+- name: Copy mixins in place [3/3]
+  loop: "{{ openwrt_mixin | dict2items | selectattr('value.content', 'defined') | list }}"
+  loop_control:
+    label: "{{ item.key }}"
+  copy:
+    content: "{{ item.value.content }}"
+    dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"
+    mode: "{{ item.value.mode | default('0644') }}"
+
+- name: Generate /etc/fstab
+  when: openwrt_mounts is defined
+  loop: "{{ openwrt_mounts }}"
+  loop_control:
+    label: "{{ item.path }}"
+  mount:
+    fstab: "{{ openwrt_imgbuilder_files }}/etc/fstab"
+    state: present
+    src: "{{ item.src | default(omit) }}"
+    path: "{{ item.path | default(omit) }}"
+    fstype: "{{ item.fstype | default(omit) }}"
+    opts: "{{ item.opts | default(omit) }}"
+    boot: "{{ item.boot | default(omit) }}"
+    dump: "{{ item.dump | default(omit) }}"
+    passno: "{{ item.passno | default(omit) }}"
+
+
+- name: Create UCI configuration files
+  loop: "{{ openwrt_uci | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  template:
+    src: uci.j2
+    dest: "{{ openwrt_imgbuilder_files }}/etc/config/{{ item.key }}"
+    mode: 0644
+    trim_blocks: yes
+#   force: no  ## TODO: fail when overwriting a file
+
+- name: Create /etc/passwd
+  when: openwrt_users is defined
+  template:
+    src: passwd.j2
+    dest: "{{ openwrt_imgbuilder_files }}/etc/passwd"
+    mode: 0644
+    trim_blocks: yes
+
+- name: Create /etc/group
+  when: openwrt_groups is defined or openwrt_users is defined
+  template:
+    src: group.j2
+    dest: "{{ openwrt_imgbuilder_files }}/etc/group"
+    mode: 0644
+    trim_blocks: yes
+
+- name: extract image builder tarball
+  environment: ### TODO: remove once this lands in ansible: https://github.com/ansible/ansible/pull/76542
+    LANGUAGE: en_US.utf8
+  unarchive:
+    src:  "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}"
+    remote_src: yes
+    dest: "{{ openwrt_imgbuilder_dir }}"
+
+- name: Symlink the cache repository
+  file:
+    state: link
+    src: "{{ openwrt_download_dir }}/dl/{{ openwrt_arch }}"
+    path: "{{ openwrt_imgbuilder_dir }}/{{ openwrt_tarball_basename }}/dl"
diff --git a/roles/installer/openwrt/image/templates/group.j2 b/roles/installer/openwrt/image/templates/group.j2
new file mode 100644
index 00000000..cb433b88
--- /dev/null
+++ b/roles/installer/openwrt/image/templates/group.j2
@@ -0,0 +1,21 @@
+{{ ansible_managed | comment }}
+root:x:0:
+daemon:x:1:
+adm:x:4:
+mail:x:8:
+audio:x:29:
+www-data:x:33:
+ftp:x:55:
+users:x:100:
+network:x:101:
+{% for name, opt in openwrt_users.items() %}
+{% if 'group_id' not in opt %}
+{{ name }}:x:{{ opt.id | default(loop.index + 110) }}:
+{% endif %}
+{% endfor %}
+{% if openwrt_groups is defined %}
+{% for name, opt in openwrt_groups.items() %}
+{{ name }}:x:{{ opt.id | default(loop.index + 200) }}:
+{% endfor %}
+{% endif %}
+nogroup:x:65534:
diff --git a/roles/installer/openwrt/image/templates/passwd.j2 b/roles/installer/openwrt/image/templates/passwd.j2
new file mode 100644
index 00000000..9beaeb61
--- /dev/null
+++ b/roles/installer/openwrt/image/templates/passwd.j2
@@ -0,0 +1,9 @@
+{{ ansible_managed | comment }}
+root:x:0:0:root:/root:/bin/ash
+daemon:*:1:1:daemon:/var:/bin/false
+ftp:*:55:55:ftp:/home/ftp:/bin/false
+network:*:101:101:network:/var:/bin/false
+{% for name, opt in openwrt_users.items() %}
+{{ name }}:*:{{ opt.id | default(loop.index + 110) }}:{{ opt.gid | default(loop.index + 110) }}:{{ name }}:{{ opt.home | default('/nonexistent') }}:{{ opt.shell | default('/bin/false') }}
+{% endfor %}
+nobody:*:65534:65534:nobody:/var:/bin/false
diff --git a/roles/installer/openwrt/image/templates/uci.j2 b/roles/installer/openwrt/image/templates/uci.j2
new file mode 100644
index 00000000..3cc480b2
--- /dev/null
+++ b/roles/installer/openwrt/image/templates/uci.j2
@@ -0,0 +1,15 @@
+{{ ansible_managed | comment }}
+
+{% for section in item.value %}
+config {{ section.name }}
+{% for option, value in section.options.items() %}
+{%   if value is iterable and value is not string %}
+{%      for v in value %}
+  list {{ option }} '{{ v }}'
+{%      endfor %}
+{%   else %}
+  option {{ option }} '{{ value }}'
+{%   endif %}
+{% endfor %}
+
+{% endfor %}
diff --git a/roles/installer/raspios/image/defaults/main.yml b/roles/installer/raspios/image/defaults/main.yml
new file mode 100644
index 00000000..3f6ab3a3
--- /dev/null
+++ b/roles/installer/raspios/image/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+raspios_variant: lite ## (lite|desktop|full)
+raspios_codename: "{{ install_codename }}"
+# raspios_arch: (arm64|armhf)
+raspios_download_dir: "{{ global_cache_dir }}/raspios"
+
+raspios_output_dir: "{{ global_artifacts_dir }}/{{ inventory_hostname }}/raspios"
+
+raspios_keep_boot_dir_mounted: no
+
+# raspios_boot_config:
+#   - regexp: '^#dtparam=i2c_vc'
+#     line: 'dtparam=i2c_vc=on'
+
+raspios_locale: en_US.UTF-8
+raspios_timezone: Europe/Vienna
+raspios_keyboard_layout: de
diff --git a/roles/installer/raspios/image/filter_plugins/main.py b/roles/installer/raspios/image/filter_plugins/main.py
new file mode 100644
index 00000000..5ac2d5ab
--- /dev/null
+++ b/roles/installer/raspios/image/filter_plugins/main.py
@@ -0,0 +1,51 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+from ansible import errors
+from urllib.parse import urlparse, urlunparse
+
+
+def _raspios_extract_latest_image_download_url_recursive(items, image_name_suffix):
+    for item in items:
+        if not item['name'].startswith('Raspberry Pi OS '):
+            continue
+
+        if 'url' in item:
+            result = urlparse(item['url'])
+            if not os.path.basename(result.path).endswith(image_name_suffix):
+                continue
+
+            return urlunparse(result)
+        if 'subitems' in item:
+            result = _raspios_extract_latest_image_download_url_recursive(item['subitems'], image_name_suffix)
+            if result:
+                return result
+    return None
+
+
+def raspios_extract_latest_image_download_url(os_list, variant, codename, arch):
+    try:
+        image_name_suffix = 'raspios-%s-%s' % (codename, arch)
+        if variant != 'desktop':
+            image_name_suffix += '-%s' % variant
+        image_name_suffix += '.img.xz'
+
+        result = _raspios_extract_latest_image_download_url_recursive(os_list, image_name_suffix)
+        if result:
+            return result
+
+    except Exception as e:
+        raise errors.AnsibleFilterError("raspios_extract_latest_image_download_url: %s" % str(e))
+
+    raise errors.AnsibleFilterError("unable to find latest image url for: %s" % (base_url))
+
+
+class FilterModule(object):
+
+    filter_map = {
+        'raspios_extract_latest_image_download_url': raspios_extract_latest_image_download_url,
+    }
+
+    def filters(self):
+        return self.filter_map
diff --git a/roles/installer/raspios/image/tasks/fetch.yml b/roles/installer/raspios/image/tasks/fetch.yml
new file mode 100644
index 00000000..bbde6bdf
--- /dev/null
+++ b/roles/installer/raspios/image/tasks/fetch.yml
@@ -0,0 +1,60 @@
+---
+- name: Create download directory
+  file:
+    dest: "{{ raspios_download_dir }}"
+    state: directory
+
+- name: fetch imageutility os list from download server
+  check_mode: no
+  uri:
+    url: "{{ raspios_download_url }}/os_list_imagingutility_v4.json"
+    body_format: json
+  register: raspios_os_list_imagingutility
+
+- set_fact:
+    raspios_download_url_image: "{{ raspios_os_list_imagingutility.json.os_list | raspios_extract_latest_image_download_url(raspios_variant, raspios_codename, raspios_arch) }}"
+
+- name: download the raspios image
+  block:
+  - name: download sha256sum and signature
+    loop:
+    - sha256
+    - sig
+    get_url:
+      url: "{{ raspios_download_url_image }}.{{ item }}"
+      dest: "{{ raspios_download_dir }}/{{ raspios_download_image_base_name }}.{{ item }}"
+
+  - name: extract SHA256 hash of the image archive
+    command: grep '{{ raspios_download_image_base_name }}' "{{ raspios_download_dir }}/{{ raspios_download_image_base_name }}.sha256"
+    changed_when: False
+    register: sha256
+
+  - name: download image
+    get_url:
+      url: "{{ raspios_download_url_image }}"
+      dest: "{{ raspios_download_dir }}/{{ raspios_download_image_base_name }}"
+      checksum: sha256:{{ sha256.stdout.split(' ') | first }}
+
+  - name: check OpenPGP signature
+    command: >-
+      gpgv --keyring "{{ global_files_dir }}/common/keyrings/raspberrypi-downloads.gpg"
+          "{{ raspios_download_dir }}/{{ raspios_download_image_base_name }}.sig" "{{ raspios_download_dir }}/{{ raspios_download_image_base_name }}"
+    changed_when: False
+    register: raspios_image_gpg_result
+
+  - debug:
+      var: raspios_image_gpg_result.stderr_lines
+
+  rescue:
+  - name: delete downloaded artifacts
+    loop:
+      - "{{ raspios_download_dir }}/{{ raspios_download_image_base_name }}-sha256"
+      - "{{ raspios_download_dir }}/{{ raspios_download_image_base_name }}.sig"
+      - "{{ raspios_download_dir }}/{{ raspios_download_image_base_name }}"
+    file:
+      path: "{{ item }}"
+      state: absent
+
+  - name: the download has failed...
+    fail:
+      msg: Something borked
diff --git a/roles/installer/raspios/image/tasks/main.yml b/roles/installer/raspios/image/tasks/main.yml
new file mode 100644
index 00000000..b8296f9a
--- /dev/null
+++ b/roles/installer/raspios/image/tasks/main.yml
@@ -0,0 +1,103 @@
+---
+- name: check if host is member of the raspios group
+  assert:
+    msg: "please add the host to the group 'raspios'"
+    that:
+    - "'raspios' in group_names"
+
+- name: fetch base image
+  run_once: true
+  import_tasks: fetch.yml
+
+- name: build the image
+  block:
+  - name: create the output directory for built images
+    file:
+      path: "{{ raspios_output_dir }}"
+      state: directory
+
+  - name: extract image
+    decompress:
+      src: "{{ raspios_download_dir }}/{{ raspios_download_image_base_name }}"
+      dest: "{{ raspios_output_dir }}"
+      force: yes
+    register: raspios_image_extract
+
+  - set_fact:
+      raspios_output_image_base_name: "{{ raspios_image_extract.files | first | basename }}"
+
+  - name: read partition layout from image
+    command: "sfdisk -q -r -J '{{ raspios_output_dir }}/{{ raspios_output_image_base_name }}'"
+    register: raspios_image_sfdisk
+
+  - set_fact:
+      raspios_image_partitions: "{{ (raspios_image_sfdisk.stdout | from_json)['partitiontable']['partitions'] }}"
+
+  - name: bind loop device for boot partition
+    command: "udisksctl loop-setup --no-user-interaction -o {{ raspios_image_partitions[0].start * 512 }} -s {{ raspios_image_partitions[0].size * 512 }} -f '{{ raspios_output_dir }}/{{ raspios_output_image_base_name }}'"
+    register: raspios_image_loop_setup
+
+  - set_fact:
+      raspios_image_loop_device: "{{ raspios_image_loop_setup.stdout | regex_search('as (/dev/loop[0-9]+)\\.$', '\\1') | first }}"
+
+  - name: mount boot partition
+    command: "udisksctl mount --no-user-interaction -b '{{ raspios_image_loop_device }}'"
+    register: raspios_image_mount
+
+  - set_fact:
+      raspios_image_mount_point: "{{ raspios_image_mount.stdout | regex_search('at (/media/.+)\\.?$', '\\1') | first }}"
+
+  - name: edit boot/config.txt
+    when: raspios_boot_config is defined
+    loop: "{{ raspios_boot_config }}"
+    loop_control:
+      label: "{{ item.line }}"
+    lineinfile:
+      path: "{{ raspios_image_mount_point }}/config.txt"
+      regexp: "{{ item.regexp }}"
+      line: "{{ item.line }}"
+
+  - name: Generate authorized_keys file
+    authorized_key:
+      user: root
+      manage_dir: no
+      path: "{{ raspios_image_mount_point }}/firstrun.authorized_keys"
+      key: "{{ ssh_keys_root | join('\n') }}"
+
+  - name: install firstrun.sh script
+    template:
+      src: firstrun.sh.j2
+      dest: "{{ raspios_image_mount_point }}/firstrun.sh"
+      mode: 0755
+
+  - name: edit boot/cmdline.txt
+    lineinfile:
+      path: "{{ raspios_image_mount_point }}/cmdline.txt"
+      regexp: '^(.*)( systemd.run=/boot/firstrun.sh systemd.run_success_action=reboot systemd.run_failure_action=none systemd.unit=kernel-command-line.target)?(.*?)$'
+      backrefs: yes
+      line: '\1 systemd.run=/boot/firstrun.sh systemd.run_success_action=reboot systemd.run_failure_action=none systemd.unit=kernel-command-line.target \3'
+
+  always:
+  - name: unmount image
+    when:
+    - not raspios_keep_boot_dir_mounted
+    - raspios_image_mount_point is defined
+    - raspios_image_mount_point is mount
+    command: "udisksctl unmount --no-user-interaction -b '{{ raspios_image_loop_device }}'"
+
+  - name: delete loop_device
+    when:
+    - not raspios_keep_boot_dir_mounted
+    - raspios_image_loop_device is defined
+    command: "udisksctl loop-delete --no-user-interaction -b '{{ raspios_image_loop_device }}'"
+
+  - name: print temporary build directory information
+    when:
+    - raspios_keep_boot_dir_mounted
+    debug:
+      msg: "As per request the boot partition of the image is still mounted to: {{ raspios_image_mount_point }}"
+
+- name: set output image names
+  set_fact:
+    output_images:
+    - "{{ (raspios_output_dir, raspios_output_image_base_name) | path_join | realpath }}"
diff --git a/roles/installer/raspios/image/templates/firstrun.sh.j2 b/roles/installer/raspios/image/templates/firstrun.sh.j2
new file mode 100644
index 00000000..bc35b764
--- /dev/null
+++ b/roles/installer/raspios/image/templates/firstrun.sh.j2
@@ -0,0 +1,103 @@
+#!/bin/bash
+set +e
+
+if [ -x /usr/lib/raspberrypi-sys-mods/get_fw_loc ]; then
+  FW_LOC=$(/usr/lib/raspberrypi-sys-mods/get_fw_loc)
+else
+  FW_LOC=/boot
+fi
+
+raspi-config nonint do_hostname "{{ host_name }}"
+echo "{{ host_name }}" > /etc/hostname
+raspi-config nonint do_change_locale "{{ raspios_locale }}"
+raspi-config nonint do_change_timezone "{{ raspios_timezone }}"
+raspi-config nonint do_configure_keyboard "{{ raspios_keyboard_layout }}"
+
+{# 0 -> predictable interface names, 1 -> legacy (eth0...) #}
+raspi-config nonint do_net_names 1
+
+{% if raspios_codename == 'bullseye' %}
+{%   if not (install_dhcp | default(false)) %}
+cat <<EOF >> /etc/dhcpcd.conf
+
+#
+interface {{ network.primary.name }}
+static ip_address={{ network.primary.address }}
+static routers={{ network.primary.gateway }}
+static domain_name_servers={{ network.nameservers | join(' ') }}
+EOF
+systemctl restart dhcpcd.service
+{%   endif %}
+systemctl disable hciuart.service
+{%   if 'wifi' in network.primary %}
+raspi-config nonint do_wifi_ssid_passphrase "{{ network.primary.wifi.ssid }}" "{{ network.primary.wifi.key }}"
+raspi-config nonint do_wifi_country "AT"
+{%   else %}
+systemctl disable wpa_supplicant.service
+{%   endif %}
+{% else %}
+cat <<EOF >> /etc/network/interfaces
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+auto {{ network.primary.name }}
+{%   if (install_dhcp | default(false)) %}
+iface {{ network.primary.name }} inet dhcp
+{%   else %}
+iface {{ network.primary.name }} inet static
+  up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+  up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+  address {{ network.primary.address | ansible.utils.ipaddr('address') }}
+  netmask {{ network.primary.address | ansible.utils.ipaddr('netmask') }}
+  gateway {{ network.primary.gateway }}
+{%   endif %}
+{%   if 'wifi' in network.primary %}
+  wpa-ssid {{ network.primary.wifi.ssid }}
+  wpa-psk {{ network.primary.wifi.key }}
+{%   endif %}
+EOF
+{%   if not (install_dhcp | default(false)) %}
+cat <<EOF > /etc/resolv.conf
+# Generated by ansible
+search {{ network.domain }}
+{%     for nameserver in network.nameservers %}
+nameserver {{ nameserver }}
+{%     endfor %}
+EOF
+{%   endif %}
+systemctl disable wpa_supplicant.service
+rfkill unblock wlan
+ifup {{ network.primary.name }}
+{% endif %}
+
+{% if ansible_port != 22 %}
+sed -e 's/^\s*#*\s*Port\s\s*[0-9][0-9]*$/Port {{ ansible_port }}/' -i /etc/ssh/sshd_config
+{% endif %}
+install -m 0700 -d /root/.ssh
+install -m 0644 "$FW_LOC/firstrun.authorized_keys" /root/.ssh/authorized_keys
+{# 0 -> enable ssh, 1 -> disable ssh #}
+raspi-config nonint do_ssh 0
+
+export DEBIAN_FRONTEND=noninteractive
+export SUDO_FORCE_REMOVE=yes
+apt-get purge -q -y userconf-pi avahi-daemon triggerhappy dpkg-dev patch gdb make strace ssh-import-id network-manager udisks2 p7zip p7zip-full sudo dphys-swapfile
+apt-get autoremove -q -y
+dpkg -l | grep "^rc" | awk "{ print(\$2) }" | xargs -r dpkg -P
+
+sed 's#systemd.run=/boot/firstrun.sh systemd.run_success_action=reboot systemd.run_failure_action=none systemd.unit=kernel-command-line.target##' -i /boot/cmdline.txt
+sed 's#\s*$##' -i /boot/cmdline.txt
+rm "$FW_LOC/firstrun.authorized_keys"
+rm "$FW_LOC/firstrun.sh"
+rm -f /etc/sudoers.d/010_pi-nopasswd
+rm -f /etc/apt/sources.list.d/vscode.list
+rm -f /etc/apt/trusted.gpg.d/microsoft.gpg
+
+apt-get update -q
+apt-get dist-upgrade -y -q
+
+{# B1 -> Console, B2 -> console autologin, B3 -> desktop, B4 -> desktop autologin #}
+raspi-config nonint do_boot_behaviour B1
+systemctl --quiet enable getty@tty1
diff --git a/roles/installer/raspios/image/vars/main.yml b/roles/installer/raspios/image/vars/main.yml
new file mode 100644
index 00000000..7c547ce2
--- /dev/null
+++ b/roles/installer/raspios/image/vars/main.yml
@@ -0,0 +1,4 @@
+---
+raspios_download_url: "https://downloads.raspberrypi.org"
+
+raspios_download_image_base_name: "{{ raspios_download_url_image | urlsplit('path') | basename }}"